Coordinating Incident Response at Internet Scale (CARIS)

Kathleen Moriarty

Security Area Director

21 Mar 2015

Coordinating incident response at Internet scale as a concept sounds fabulous, but can we achieve it? What will it take?

Those of us working in incident response and information sharing efforts know there is much to be done. While there is lots of good work progressing this area of information security, there are still very few resources skilled in forensics and mitigating threats. The CARIS workshop will bring together diverse sets of experts to collaborate and better scale their efforts.

Last year, I wrote a blog series on the problems in the space with some ideas on how we might be able to progress in a way that helps not only the large organizations with resources to participate, but also smaller organizations with no resources. The smaller organizations are part of the supply chain, hence the motivation to assist them. You can find more information in the blog series: Driving Towards More Effective Sharing Models.

One of the key takeaways is the need for coordination among those driving efforts to progress this space, including those running attack-type mitigation efforts (APWG, ACDC, etc.), operators at service providers, regional CSIRTs, security professionals at large organizations, researchers, and vendors. Coordination requires getting these folks into the same room to see how we might collectively advance this space and have a greater impact with the few resources dedicated to these activities. The Internet Architecture Board (IAB) and the Internet Society (ISOC) CARIS workshop is set to take place on June 19th, the last day of the FIRST conference in Berlin.

CARIS will be run as a workshop to allow for active participation of attendees, with a requirement to submit a research paper or fill in a template on your organization's sharing and mitigation efforts. All research papers accepted will be published on the IAB CARIS site, and the template information will be shared with participants via ISOC. The template will provide the information organizations need to participate in each other's efforts, potentially reducing duplication of effort and improving scaling of resources. This increased coordination of threat information may help with automation through the involvement of vendors. Additionally, the increased coordination could assist with the ability to directly address threats where they can be mitigated or stopped by service providers, CSIRTs, or threat-specific working groups.

One goal of this coordination is to more efficiently address threats for all, rather than limiting activity to sharing by organizations with adequate resources. This requires coordination among those with resources. The database of sharing efforts has the potential to increase collaborative efforts by involving communities such as the service providers and vendors who might be able to more quickly address such threats. Bringing this diverse crowd into a full-day workshop could be a catalyst to enable future collaboration between organizations. We look forward to your submission and collaboration! The call for papers is open until April 3, 2015.